Analysis
max time kernel: 143s
max time network: 143s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:36

Behavioral task: behavioral1
Sample: CondoGenerator.exe
Resource: win7-20241023-en
General
Target: CondoGenerator.exe
Size: 3.1MB
MD5: 5da0a355dcd44b29fdd27a5eba904d8d
SHA1: 1099e489937a644376653ab4b5921da9527f50a9
SHA256: e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512: 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
SSDEEP: 49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 192.168.1.79:4782 (RFC 1918 private address: this build only reaches its controller from inside the operator's LAN)
Mutex: 956eafb2-7482-407b-bff4-d2b57a1c3d75
Attributes
encryption_key: EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (9 IoCs)
resource | yara_rule
behavioral1/memory/2804-1-0x0000000000DD0000-0x00000000010F4000-memory.dmp | family_quasar
behavioral1/files/0x000800000001610d-6.dat | family_quasar
behavioral1/memory/2448-8-0x0000000000330000-0x0000000000654000-memory.dmp | family_quasar
behavioral1/memory/2524-23-0x00000000012C0000-0x00000000015E4000-memory.dmp | family_quasar
behavioral1/memory/2184-45-0x00000000003F0000-0x0000000000714000-memory.dmp | family_quasar
behavioral1/memory/1104-57-0x00000000011A0000-0x00000000014C4000-memory.dmp | family_quasar
behavioral1/memory/872-69-0x0000000001290000-0x00000000015B4000-memory.dmp | family_quasar
behavioral1/memory/304-124-0x00000000003C0000-0x00000000006E4000-memory.dmp | family_quasar
behavioral1/memory/568-135-0x0000000000A30000-0x0000000000D54000-memory.dmp | family_quasar

Executes dropped EXE (12 IoCs)
Client.exe, PIDs 2448, 2524, 3000, 2184, 1104, 872, 2668, 2988, 2748, 2224, 304, 568

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs 1336, 2648, 1968, 1708, 972, 1544, 2764, 2700, 1912, 1548, 2492, 1864

Runs ping.exe (1 TTP, 12 IoCs)
PING.EXE, PIDs 1968, 1544, 2764, 2700, 1336, 1548, 1708, 972, 2492, 1864, 1912, 2648

Scheduled Task/Job: Scheduled Task (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs 2868, 2144, 2852, 2404, 1960, 1656, 2872, 1720, 1424, 2380, 2316, 592, 2416

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Token: SeDebugPrivilege
CondoGenerator.exe PID 2804; Client.exe PIDs 2448, 2524, 3000, 2184, 1104, 872, 2668, 2988, 2748, 2224, 304, 568

Suspicious use of FindShellTrayWindow (12 IoCs)
Client.exe, PIDs 2448, 2524, 3000, 2184, 1104, 872, 2668, 2988, 2748, 2224, 304, 568

Suspicious use of SendNotifyMessage (12 IoCs)
Client.exe, PIDs 2448, 2524, 3000, 2184, 1104, 872, 2668, 2988, 2748, 2224, 304, 568

Suspicious use of SetWindowsHookEx (12 IoCs)
Client.exe, PIDs 2448, 2524, 3000, 2184, 1104, 872, 2668, 2988, 2748, 2224, 304, 568

Suspicious use of WriteProcessMemory (64 IoCs; the sandbox logs each write as three events, collapsed here into a count)
PID | Process | wrote to PID | procid_target | events
2804 | CondoGenerator.exe | 2316 | 30 | 3
2804 | CondoGenerator.exe | 2448 | 32 | 3
2448 | Client.exe | 2852 | 33 | 3
2448 | Client.exe | 2828 | 35 | 3
2828 | cmd.exe | 2444 | 37 | 3
2828 | cmd.exe | 1548 | 38 | 3
2828 | cmd.exe | 2524 | 39 | 3
2524 | Client.exe | 2404 | 40 | 3
2524 | Client.exe | 2728 | 42 | 3
2728 | cmd.exe | 1440 | 44 | 3
2728 | cmd.exe | 2648 | 45 | 3
2728 | cmd.exe | 3000 | 46 | 3
3000 | Client.exe | 592 | 47 | 3
3000 | Client.exe | 2720 | 49 | 3
2720 | cmd.exe | 2324 | 51 | 3
2720 | cmd.exe | 1968 | 52 | 3
2720 | cmd.exe | 2184 | 54 | 3
2184 | Client.exe | 2416 | 55 | 3
2184 | Client.exe | 1744 | 57 | 3
1744 | cmd.exe | 1572 | 59 | 3
1744 | cmd.exe | 1708 | 60 | 3
1744 | cmd.exe | 1104 | 61 | 1 (list truncated at 64 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is prefixed with its depth in the process tree; an entry's parent is the nearest preceding entry whose depth is one less.

1  C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe (PID 2804)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe"
   signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
2  C:\Windows\system32\schtasks.exe (PID 2316)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
2  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2448)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
3  C:\Windows\system32\schtasks.exe (PID 2852)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
3  C:\Windows\system32\cmd.exe (PID 2828)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\o2QlKV4PUt1I.bat" "
   signatures: Suspicious use of WriteProcessMemory
4  C:\Windows\system32\chcp.com (PID 2444)
   cmdline: chcp 65001
4  C:\Windows\system32\PING.EXE (PID 1548)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
4  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2524)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
5  C:\Windows\system32\schtasks.exe (PID 2404)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
5  C:\Windows\system32\cmd.exe (PID 2728)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYHDFmqenu5o.bat" "
   signatures: Suspicious use of WriteProcessMemory
6  C:\Windows\system32\chcp.com (PID 1440)
   cmdline: chcp 65001
6  C:\Windows\system32\PING.EXE (PID 2648)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
6  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3000)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
7  C:\Windows\system32\schtasks.exe (PID 592)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
7  C:\Windows\system32\cmd.exe (PID 2720)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kznN19BhPygq.bat" "
   signatures: Suspicious use of WriteProcessMemory
8  C:\Windows\system32\chcp.com (PID 2324)
   cmdline: chcp 65001
8  C:\Windows\system32\PING.EXE (PID 1968)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
8  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2184)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
9  C:\Windows\system32\schtasks.exe (PID 2416)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
9  C:\Windows\system32\cmd.exe (PID 1744)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmTrE1LCrPBn.bat" "
   signatures: Suspicious use of WriteProcessMemory
10 C:\Windows\system32\chcp.com (PID 1572)
   cmdline: chcp 65001
10 C:\Windows\system32\PING.EXE (PID 1708)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
10 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1104)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
11 C:\Windows\system32\schtasks.exe (PID 1960)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
11 C:\Windows\system32\cmd.exe (PID 1664)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\in7ZuXdZkzAm.bat" "
12 C:\Windows\system32\chcp.com (PID 1984)
   cmdline: chcp 65001
12 C:\Windows\system32\PING.EXE (PID 972)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
12 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 872)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
13 C:\Windows\system32\schtasks.exe (PID 1656)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
13 C:\Windows\system32\cmd.exe (PID 1904)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zhmAxIwBt0m4.bat" "
14 C:\Windows\system32\chcp.com (PID 2856)
   cmdline: chcp 65001
14 C:\Windows\system32\PING.EXE (PID 1544)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
14 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2668)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
15 C:\Windows\system32\schtasks.exe (PID 2872)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
15 C:\Windows\system32\cmd.exe (PID 2112)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngdW8vghDopv.bat" "
16 C:\Windows\system32\chcp.com (PID 2696)
   cmdline: chcp 65001
16 C:\Windows\system32\PING.EXE (PID 2764)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
16 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2988)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
17 C:\Windows\system32\schtasks.exe (PID 1720)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
17 C:\Windows\system32\cmd.exe (PID 2892)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0e40iwRXDi05.bat" "
18 C:\Windows\system32\chcp.com (PID 2156)
   cmdline: chcp 65001
18 C:\Windows\system32\PING.EXE (PID 2700)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
18 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2748)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
19 C:\Windows\system32\schtasks.exe (PID 2868)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
19 C:\Windows\system32\cmd.exe (PID 1432)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ibXeUOBEkNin.bat" "
20 C:\Windows\system32\chcp.com (PID 1420)
   cmdline: chcp 65001
20 C:\Windows\system32\PING.EXE (PID 2492)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
20 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2224)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
21 C:\Windows\system32\schtasks.exe (PID 2144)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
21 C:\Windows\system32\cmd.exe (PID 1784)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hVlUDWhjPI1L.bat" "
22 C:\Windows\system32\chcp.com (PID 1860)
   cmdline: chcp 65001
22 C:\Windows\system32\PING.EXE (PID 1864)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
22 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 304)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
23 C:\Windows\system32\schtasks.exe (PID 1424)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
23 C:\Windows\system32\cmd.exe (PID 1484)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1E9uMOj0hTgv.bat" "
24 C:\Windows\system32\chcp.com (PID 1280)
   cmdline: chcp 65001
24 C:\Windows\system32\PING.EXE (PID 1336)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
24 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 568)
   cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
   signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
25 C:\Windows\system32\schtasks.exe (PID 2380)
   cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
   signatures: Scheduled Task/Job: Scheduled Task
25 C:\Windows\system32\cmd.exe (PID 912)
   cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zP00l2W2jU5s.bat" "
26 C:\Windows\system32\chcp.com (PID 2600)
   cmdline: chcp 65001
26 C:\Windows\system32\PING.EXE (PID 1912)
   cmdline: ping -n 10 localhost
   signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
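The process tree above repeats one pattern a dozen times: Client.exe registers an ONLOGON task with /rl HIGHEST pointing at itself under AppData\Roaming, then runs a .bat from the user's Temp folder that sets the code page, sleeps with `ping -n 10 localhost`, and relaunches Client.exe, which starts the cycle again. The following Python is an added example, not part of the Triage report and not Quasar's or Triage's code: it runs three checks for exactly that pattern over constructed process-creation events. PIDs, paths and command lines in the sample are copied from the tree above; the explorer.exe parent (PID 1352) and the two benign events (PIDs 4100 and 4200) are invented controls that must not fire.

```python
"""Flag Quasar-style scheduled-task persistence and the .bat self-restart chain
in process-creation telemetry. Added example; the events below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable, as a Sysmon-style log carries it
    cmdline: str   # raw command line


# Directories an unprivileged user can write to; a task action living here is
# suspect regardless of the task name chosen.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switch(cmdline: str, name: str) -> Optional[str]:
    """Value following a schtasks-style /name switch, quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_task_persistence(events: Iterable[ProcEvent]) -> List[Dict]:
    """schtasks /create whose action lives in a user-writable path, or which
    pairs an ONLOGON trigger with /rl HIGHEST (both hold for the Quasar task)."""
    hits = []
    for ev in events:
        if _basename(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
            continue
        target = (_switch(ev.cmdline, "tr") or "").lower()
        reasons = []
        if any(d in target for d in USER_WRITABLE):
            reasons.append("action in user-writable path")
        if ((_switch(ev.cmdline, "sc") or "").upper() == "ONLOGON"
                and (_switch(ev.cmdline, "rl") or "").upper() == "HIGHEST"):
            reasons.append("ONLOGON trigger with highest run level")
        if reasons:
            hits.append({"pid": ev.pid, "task": _switch(ev.cmdline, "tn"),
                         "target": target, "reasons": reasons})
    return hits


def find_bat_restart_chains(events: Iterable[ProcEvent]) -> List[Dict]:
    """cmd.exe running a .bat out of %TEMP% whose children are a
    'ping -n N localhost' sleep and an executable relaunched from a
    user-writable path: the client's install/restart script."""
    events = list(events)
    children: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if _basename(ev.image) != "cmd.exe":
            continue
        bat = re.search(r'([^"\s]+\\appdata\\local\\temp\\[^"\s]+\.bat)', ev.cmdline, re.I)
        if not bat:
            continue
        kids = children.get(ev.pid, [])
        ping_count = None
        for k in kids:
            n = re.search(r"-n\s+(\d+)", k.cmdline, re.I)
            if (_basename(k.image) == "ping.exe" and n
                    and re.search(r"\b(localhost|127\.0\.0\.1)\b", k.cmdline, re.I)):
                ping_count = int(n.group(1))
        relaunched = [k.pid for k in kids if k.image.lower().endswith(".exe")
                      and any(d in k.image.lower() for d in USER_WRITABLE)]
        if ping_count is not None and relaunched:
            hits.append({"cmd_pid": ev.pid, "bat": bat.group(1),
                         "ping_count": ping_count, "relaunched": relaunched})
    return hits


def restart_depth(events: Iterable[ProcEvent], exe_name: str) -> int:
    """Longest ancestor chain of exe_name instances (cmd.exe/ping hops between
    them are skipped). Anything above 1 means the binary respawned itself."""
    by_pid = {ev.pid: ev for ev in events}
    want, best = exe_name.lower(), 0
    for ev in by_pid.values():
        if _basename(ev.image) != want:
            continue
        depth, cur, seen = 0, ev, set()
        while cur is not None and cur.pid not in seen:   # guard against PID reuse loops
            seen.add(cur.pid)
            depth += _basename(cur.image) == want
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


# Constructed sample modelled on the sandbox tree (PIDs, paths and command lines are
# the report's); PID 1352 and the last two benign events are invented controls.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
CLIENT = "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe"
SYS32 = "C:\\Windows\\system32\\"
TASK_CMD = ('"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
            '/tr "%s" /rl HIGHEST /f' % CLIENT)
SAMPLE_EVENTS = [
    ProcEvent(1352, 1000, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(2804, 1352, TEMP + "CondoGenerator.exe", '"%sCondoGenerator.exe"' % TEMP),
    ProcEvent(2316, 2804, SYS32 + "schtasks.exe", TASK_CMD),
    ProcEvent(2448, 2804, CLIENT, '"%s"' % CLIENT),
    ProcEvent(2852, 2448, SYS32 + "schtasks.exe", TASK_CMD),
    ProcEvent(2828, 2448, SYS32 + "cmd.exe", 'cmd /c ""%so2QlKV4PUt1I.bat" "' % TEMP),
    ProcEvent(2444, 2828, SYS32 + "chcp.com", "chcp 65001"),
    ProcEvent(1548, 2828, SYS32 + "PING.EXE", "ping -n 10 localhost"),
    ProcEvent(2524, 2828, CLIENT, '"%s"' % CLIENT),
    ProcEvent(2404, 2524, SYS32 + "schtasks.exe", TASK_CMD),
    ProcEvent(2728, 2524, SYS32 + "cmd.exe", 'cmd /c ""%sGYHDFmqenu5o.bat" "' % TEMP),
    ProcEvent(1440, 2728, SYS32 + "chcp.com", "chcp 65001"),
    ProcEvent(2648, 2728, SYS32 + "PING.EXE", "ping -n 10 localhost"),
    ProcEvent(3000, 2728, CLIENT, '"%s"' % CLIENT),
    ProcEvent(4100, 1352, SYS32 + "schtasks.exe",   # invented benign task
              'schtasks /create /tn "Nightly Backup" /sc DAILY /tr "C:\\Program Files\\Backup\\run.exe"'),
    ProcEvent(4200, 1352, SYS32 + "PING.EXE", "ping -n 4 fileserver01"),   # invented benign ping
]

if __name__ == "__main__":
    print(find_task_persistence(SAMPLE_EVENTS))
    print(find_bat_restart_chains(SAMPLE_EVENTS))
    print("Client.exe respawn depth:", restart_depth(SAMPLE_EVENTS, "Client.exe"))
```

On the sample this reports the three schtasks invocations (PIDs 2316, 2852, 2404), the two cmd.exe restart chains (PIDs 2828 and 2728, each relaunching Client.exe after ten pings) and a Client.exe respawn depth of 3, while the invented DAILY backup task and the ping to a file server are ignored. Two caveats for anyone reusing the logic: `ping -n 10 localhost` against the loopback address is the batch file's sleep, so the "Internet Connection Discovery" tag the sandbox attaches to it is a heuristic, not evidence of a connectivity check; and the restart-chain check keys on children of the cmd.exe that ran the .bat, so telemetry that records only the top-level process will miss it while the scheduled-task check still fires.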
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 207B
MD5: 644f2f5b9a5bbe82e17045213f648da5
SHA1: da3b5864d836f867022b05f7ff5cbc7a906465e1
SHA256: f936d5add7a7bb5b037301af2c7dd0bbbddfbbe90eaa2c7885651d868e56afa8
SHA512: 4d6e59231cddfe43902c04cb45029a3cd8dd8e0de08161a17bb8b4a1cdacfa925091498887ae88302f838933fd5744de7e3428a31e3fd84445ba6b357865e5ad

Filesize: 207B
MD5: 7c16f5bde2cd81cce11fb21471aa2b83
SHA1: 9b0e8960b87d9753aed73695b08bde427188a747
SHA256: 0df8753eb437952bf52c2e1e8a4b7ae8e363606b16916643393f5a06fac497a7
SHA512: 25063c945f67e1f8b9a106c5c36d7d760e8e8949662d6c20fca0451fe04ccd06dc4fec1ac406394f706a52fbe8bbdf9df610147e3e4ae532fc0638f7afa19c1b

Filesize: 207B
MD5: 34c182ad410384583165605e1c78fbbf
SHA1: bf802130542c0ab5de68515d9eaddd5da9b42bb1
SHA256: ea42572f4bb07b2fb2febec6cb523179b695ed174054bc503a546af5e38fc234
SHA512: 0739a683046f207170c414bcf6b0c85d4fe1ffefec3683940e8530a48cc7f8a734452352978e185f1ffc1ad02be46d552f4ed267a05fe172c781d162fb5a9daa

Filesize: 207B
MD5: c12098b64523317bfabf4195bb70bebe
SHA1: e026b2138433af1c397cd4247dcaeef6c76d349b
SHA256: 39049194fc71fe23e8fcf80ecb80f09cf621d4b198cd3f29de67f6cfa7414ff3
SHA512: 25819fa23eb8fcfc06433c1ee91306c416d7e9a97eeeec14d20dbc0048f5443faf2c64d88ee84ccd3c8e338955fdcb1e91edf5b5501d26971a9bd1ac9159d488

Filesize: 207B
MD5: 5689b54d3e2048bfa88645b227736046
SHA1: e1d2954cfdc758d732ab37b0e25d6f6408a033c5
SHA256: ef322d2243576d540a339ee71505c27f4623c48f95f14a788ccc3c704c9be39e
SHA512: 0bbfcbb13282007eede84ee5fd534acadc9885bd29537040b7b6a6e8f3429c917ef16243409f8f083d82a65f08a74e3edda7dacebb566ac23c5c45865eb83fe3

Filesize: 207B
MD5: fb72c0e6dd670403a2a653e068e5bbfe
SHA1: 90238213878008c52fcf49c6bea8ead4975b2fbf
SHA256: eb4b2e45ed6ffa9b6859bdfbb80795f1ec068b14201c658ae05550308da69bbf
SHA512: afda2bf18d5813affb741610cba8825b14f8398bdb640f3e8cd1006d88051149d0b9765981806ae58e2c9001b72c99503194fa32bfea4f3c85811b303388fd0f

Filesize: 207B
MD5: 0039a64d29199927a3f650616b3d0dfe
SHA1: 825c15113abb7ebe290814afc18aee79fb4af2e4
SHA256: d912ccde8beffa2bba0da5656ec018526e4a9ef2c07ad9f54e61d3b6041b2361
SHA512: 6cf73065b3b6ce9714e5bc95d9a7a704b4db1cd5bdab789da1cf872d2e3db12e29da009811a63a8249e57d0b6385624f381148b00be4966dfd1c3fa67822522c

Filesize: 207B
MD5: 6d1b3b27054761daf8029c903f265600
SHA1: 2aaa10257a702b4387bc03fb568a812fea6c621c
SHA256: 0278ad307866d98ade2bf08e8aa39d8c6184ad229744b1ae0d54c8ac1762fa9c
SHA512: 8c20f7e150a609f8b7fb57cd02254fbe9bd3531a5911aaec9b86f9b828aea24037ff0a48988fb93c1eb5a20cf6e0be4cbe5713cb09d45c0b3006266385536e11

Filesize: 207B
MD5: aabbebba806ed074b1a1fade074ca751
SHA1: c77fe79bcc11edc0a11a17d9f44ef202c29d772b
SHA256: 8365e1ffa721ef4cfa75869f40af9fe63dc01d3febde591a8e0c3c588c57ff0c
SHA512: 7e1da25dac5cbea26c6b0aea011f933a4f8ae711e3f591c7d3e9a57ee9a9fd17a4fb6ca01605d02915458c29c653a1bca6623da0d3944f585e963a3c84640889

Filesize: 207B
MD5: e7ce28b2725d60df7b0d2d4ae57cc5e2
SHA1: 5d9693d1f7f56623cfa43f13fc2cc6b0913c7956
SHA256: dbce8f341b7338a7b04283b839091d1cd3a98a8c066d63902540cfad1ef85c29
SHA512: 37faf1fe8a6d972e069de12ee7cbc76fc12b99149201e2123c34d266c9974033b1a8c572be9a831aab3f427f00546a4b2f39d69ca83730d3a42738268f235e97

Filesize: 207B
MD5: 2fb753de9f1a0aeb4029418215e41765
SHA1: d4b35ff169c61fd940926d69fad2974dc02237c5
SHA256: 65445274e5779eb1b21ade48f68554f59912717477e547134fffaa3ea5ee70e6
SHA512: 2578530c52875b9614396ca23b99fd4c582682eab44c5406bb8734603625e8a2f797c29b08d0426408352a96580434b44be80bc0718cfebfb1c10806bedbb5a0

Filesize: 207B
MD5: 76527a5fa222d7b0f9f864cff5c97de5
SHA1: 86ce45171c620d68906db4781f724f256d8dcc05
SHA256: 14b67d5d00c7bd7ceaf575d0cd43071e9634c9d5f918469a362e1b07717ee9d3
SHA512: f312c38357487161c5abe8b7ab760de91090a13bf90db8bee7c8a894b39a62cac11b3b71187e097cfbf235b957fd98f00700f9c5921177c18b7f28835a15ba7d

Filesize: 3.1MB (hashes identical to the submitted sample)
MD5: 5da0a355dcd44b29fdd27a5eba904d8d
SHA1: 1099e489937a644376653ab4b5921da9527f50a9
SHA256: e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
SHA512: 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6